我正在尝试测试我的一个 @RestController
的访问权限,它由自定义 Spring Security 配置保护。我的用例如下:到 /someEndpoint
的 HTTP GET
是通过身份验证保护的,但是对同一端点的 HTTP POST
请求不是安全。当我启动应用程序并使用我的前端或 Postman 对其进行测试时,它工作正常。
现在我正在尝试使用带有安全配置的 MockMvc
编写测试。我已经在 StackOverflow 上找到了很多答案,但没有任何帮助。
我的测试设置如下所示:
@RunWith(SpringRunner.class)
@WebMvcTest(controllers = MyController.class)
@WebAppConfiguration
@ContextConfiguration
public class AssessmentControllerTest {
private MockMvc mockMvc;
@Autowired
private WebApplicationContext webApplicationContext;
@Before
public void init() throws Exception {
this.mockMvc = MockMvcBuilders.webAppContextSetup(webApplicationContext)
.alwaysDo(print())
.apply(SecurityMockMvcConfigurers.springSecurity())
.build();
}
// some test methods
}
通过此设置,我的所有端点都受到保护,甚至 HTTP POST
也会返回 401
而不是 201
。为了安全起见,我还启用了调试日志,在调试日志中,它说测试使用了 default configure(HttpSecurity)
并且我在日志中找不到任何 AntMatchers:
2018-07-04 19:20:02.829 DEBUG 2237 --- [ main] s.s.c.a.w.c.WebSecurityConfigurerAdapter : Using default configure(HttpSecurity). If subclassed this will potentially override subclass configure(HttpSecurity).
2018-07-04 19:20:03.097 DEBUG 2237 --- [ main] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'authenticated', for org.springframework.security.web.util.matcher.AnyRequestMatcher@1
2018-07-04 19:20:03.127 DEBUG 2237 --- [ main] o.s.s.w.a.i.FilterSecurityInterceptor : Validated configuration attributes
2018-07-04 19:20:03.130 DEBUG 2237 --- [ main] o.s.s.w.a.i.FilterSecurityInterceptor : Validated configuration attributes
2018-07-04 19:20:03.161 INFO 2237 --- [ main] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@5a75ec37, org.springframework.security.web.context.SecurityContextPersistenceFilter@3f736a16, org.springframework.security.web.header.HeaderWriterFilter@529c2a9a, org.springframework.security.web.csrf.CsrfFilter@7f93dd4e, org.springframework.security.web.authentication.logout.LogoutFilter@707b1a44, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@26c89563, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@1e0a864d, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@22ebccb9, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@53abfc07, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@4aa21f9d, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@2c05ff9d, org.springframework.security.web.session.SessionManagementFilter@26bbe604, org.springframework.security.web.access.ExceptionTranslationFilter@4375b013, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@a96d56c]
2018-07-04 19:20:03.236 INFO 2237 --- [ main] o.s.b.t.m.w.SpringBootMockServletContext : Initializing Spring FrameworkServlet ''
2018-07-04 19:20:03.237 INFO 2237 --- [ main] o.s.t.web.servlet.TestDispatcherServlet : FrameworkServlet '': initialization started
通常可以在 MockMvc
测试期间使用我的具体 Spring Security 配置,还是我必须在测试期间使用 @SpringBootTest
启动整个 Spring 上下文?我正在使用(带有 Java 1.8 的 Spring Boot 2.0.3.RELEASE)
提前致谢!
最佳答案
在 spring-boot 2.x 中,无法再通过属性切换安全性。您必须编写一个自己的 SecurityConfiguration,它必须添加到您的测试上下文中。此安全配置应允许任何未经身份验证的请求。
@Configuration
@EnableWebSecurity
public class TestSecurityConfiguration extends WebSecurityConfigurerAdapter{
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests().anyRequest().permitAll();
}
@Override
public void configure(WebSecurity web) throws Exception{
web.debug(true);
}
}
测试类注解:
@ContextConfiguration(classes = { ..., TestSecurityConfiguration.class })
public class MyTests {...
关于java - 如何在 MockMvc 测试期间使用正确的 Spring Security 配置,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/51178645/